Building a Modern Security Engineering Organization

Continuous deployment and the DevOps philosophy have forever changed the ways in which businesses operate. This talk with discuss how security adapts effectively to these changes, specifically
…

Continuous deployment and the DevOps philosophy have forever changed the ways in which businesses operate. This talk with discuss how security adapts effectively to these changes, specifically covering:

- Practical advice for building and scaling modern AppSec and NetSec programs
- Lessons learned for organizations seeking to launch a bug bounty program
- How to run realistic attack simulations and learn the signals of compromise in your environment

Transcript

1.
Building a Modern Security
Engineering Organization
zane@signalsciences.com
@zanelackey

2.
Who
is
this
guy
anyway?
• Built and led the Etsy Security Team
– Spoiler alert: what this presentation is about
• Recently co-founded Signal Sciences to
productize eﬀective AppSec approaches

3.
This talk is a collection of lessons learned
from building and adapting a security
team

4.
For security teams, the world has changed
in fundamental ways:
– Code deployment is now near-instantaneous

5.
For security teams, the world has changed
in fundamental ways:
– Code deployment is now near-instantaneous
– Merging of development and operations
means more people with production access

6.
For security teams, the world has changed
in fundamental ways:
– Code deployment is now near-instantaneous
– Merging of development and operations
means more people with production access
– Cost of attack has signiﬁcantly dropped

25.
Instead, the focus becomes on
incentivizing teams to reach out to security

26.
Keys to incentivizing conversation:
– Don’t be a jerk. This should be obvious, but
empathy needs to be explicitly set as a core
part of your teams culture.

27.
Keys to incentivizing conversation:
– Don’t be a jerk. This should be obvious, but
empathy needs to be explicitly set as a core
part of your teams culture.
– Make realistic tradeoﬀs. Don’t fall in to the
trap of thinking every issue is critical.
• Ex: Letting low risk issues ship with a reasonable
remediation window buys you credibility for
when things actually do need to be addressed
immediately.

28.
Keys to incentivizing conversation:
– Coherently explain impact. “This would
allow all our user data to be compromised if
the attacker did X & Y” paints a clear picture,
where “The input validation in this function is
weak” does not.

29.
Keys to incentivizing conversation:
– Coherently explain impact. “This would
allow all our user data to be compromised if
the attacker did X & Y” paints a clear picture,
where “The input validation in this function is
weak” does not.
– Reward communication with security
team. T-Shirts, gift cards, and high ﬁves all
work (shockingly) well.

30.
Keys to incentivizing conversation:
– Take the false positive hit yourself. Don’t
send unveriﬁed issues to dev and ops
teams. When issues come in, have the
secteam verify and make ﬁrst attempt at
patch.
– Scale via team leads. Build relationships
with technical leads from other teams so
they make security part of their teams
culture.

31.
Keys to incentivizing conversation:
– Take the false positive hit yourself. Don’t
send unveriﬁed issues to dev and ops
teams. When issues come in, have the
secteam verify and make ﬁrst attempt at
patch.
– Scale via team leads. Build relationships
with technical leads from other teams so
they make security part of their teams
culture.

36.
Methodology:
1. Figure out what capability is needed
2. Build an alternate way to perform the
needed function in a safe way
3. Transition the organization over to the safe
way
4. Alert on any usage of the old unsafe way

37.
Methodology:
1. Figure out what capability is needed
2. Build an alternate way to perform the
needed function in a safe way
3. Transition the organization over to the safe
way
4. Alert on any usage of the old unsafe way

38.
Methodology:
1. Figure out what capability is needed
2. Build an alternate way to perform the
needed function in a safe way
3. Transition the organization over to the safe
way
4. Alert on any usage of the old unsafe way

39.
Methodology:
1. Figure out what capability is needed
2. Build an alternate way to perform the
needed function in a safe way
3. Transition the organization over to the safe
way
4. Alert on any usage of the old unsafe way

41.
Security policy goal: Eliminate unneeded
access to production systems
– Why do developers do it? Ex: To view error logs
– Build alternate approach: Send the logs to
central logging service (ex: elasticsearch,
splunk, etc)
– Publicize the new tooling to the organization
– After majority of transition, alert on any logins to
production systems by non-sysops

42.
Security policy goal: Eliminate unneeded
access to production systems
– Why do developers do it? Ex: To view error logs
– Build alternate approach: Send the logs to
central logging service (ex: elasticsearch,
splunk, etc)
– Publicize the new tooling to the organization
– After majority of transition, alert on any logins to
production systems by non-sysops

43.
Security policy goal: Eliminate unneeded
access to production systems
– Why do developers do it? Ex: To view error logs
– Build alternate approach: Send the logs to
central logging service (ex: elasticsearch,
splunk, etc)
– Publicize the new tooling to the organization
– After majority of transition, alert on any logins to
production systems by non-sysops

44.
Security policy goal: Eliminate unneeded
access to production systems
– Why do developers do it? Ex: To view error logs
– Build alternate approach: Send the logs to
central logging service (ex: elasticsearch,
splunk, etc)
– Publicize the new tooling to the organization
– After majority of transition, alert on any logins to
production systems by non-sysops

49.
Common concerns about launching a
bounty:
1. Budgetary concerns. Money is almost
never the main motivation for researchers,
you can launch a bounty with just a hall of
fame and still get great submissions.
2. Risk of inviting attacks. You’re already
getting attacked continuously, you’re just
not getting the results.

50.
Common concerns about launching a
bounty:
1. Budgetary concerns. Money is rarely the
main motivation for participants, you can
launch a bounty with just a hall of fame
and still get great submissions.
2. Risk of inviting attacks. You’re already
getting attacked continuously, you’re just
not getting the results.

51.
Common concerns about launching a
bounty:
1. Budgetary concerns. Money is rarely the
main motivation for participants, you can
launch a bounty with just a hall of fame
and still get great submissions.
2. Risk of inviting attacks. It’s the Internet.
You’re already getting pentested
continuously, you’re just not receiving the
report.

52.
The ultimate goals of a bug bounty are
threefold:
1. Incentivize people to report issues to you
in the ﬁrst place
2. Drive up cost of vulnerability discovery and
exploitation for attackers
3. Provide an external validation of if your
security program is working (or not)

53.
The ultimate goals of a bug bounty are
threefold:
1. Incentivize people to report issues to you
in the ﬁrst place
2. Drive up cost of vulnerability discovery and
exploitation for attackers
3. Provide an external validation of if your
security program is working (or not)

54.
The ultimate goals of a bug bounty are
threefold:
1. Incentivize people to report issues to you
in the ﬁrst place
2. Drive up cost of vulnerability discovery and
exploitation for attackers
3. Provide an external validation of where
your security program is working (and
where it’s not)

55.
Before you launch, record what vulnerability
classes you expect to see and what you don’t.
Compare this against the issues actually
reported.

56.
Before you launch, record what vulnerability
classes you expect to see and what you don’t.
Compare this against the issues actually
reported.

57.
Keep metrics on:
– Number of bugs reported and severities
– Time to remediation of reported issues
You want both of these metrics to trend down
over time

60.
Practical considerations:
– Your ﬁrst 2-3 weeks will be intense. Have as
many people as you can dedicated to triage
and response

61.
Practical considerations:
– Operationally review any helper systems for
scaling problems beforehand
• When 10-100x traﬃc hits helper systems your
security team uses, what falls over?
– Money almost never the overriding factor,
hall of fame is
– Researchers are generally great to interact
with

62.
Practical considerations:
– Operationally review any helper systems for
scaling problems beforehand
• When 10-100x traﬃc hits helper systems your
security team uses, what falls over?
– Money is almost never the main motivation
for bounty participants, hall of fame credit is
– Researchers are generally great to interact
with

63.
Practical considerations:
– Operationally review any helper systems for
scaling problems beforehand.
• When 10-100x traﬃc hits helper systems your
security team uses, what falls over?
– Money is almost never the main motivation
for bounty participants, hall of fame credit is
– Key to great researcher interaction is
frequent and transparent communication

70.
Four keys to eﬀective attack simulations:
1. Goal oriented
• “Obtain domain admin”, “read the CEOs email”,
“view credit card data”, …
• Ask attack team for input on goals, they’ll come
up with ones you didn’t think of
2. Full ganization in scope
• Have attack team call a contact if they’re about
to do something risky
– several week simulat
– ion

71.
Four keys to eﬀective attack simulations:
1. Goal oriented
• “Obtain domain admin”, “read the CEOs email”,
“view credit card data”, …
• Ask attack team for input on goals, they’ll come
up with ones you didn’t think of
2. Full organization in scope
• Have attack team call a contact if they’re about
to do something risky
– Ex: Instead of throwing an exploit that lands “most of
the time”, grant access to the target system with
temporary credentials

72.
Four keys to eﬀective attack simulations:
3. Simulate realistic compromise patterns
• Start the attack team on a:
– standard laptop/desktop to simulate phishing/clientside
compromise
– database or web server to simulate SQL injection/RCE
• 0days aren’t cheating, they’re reality. Attack team
should be encouraged to use them.
– Break simulation down into iterations:
• Don’t spend the full engagement time on only round
of testing, once one team achieve goal(s), then swap
in new attack team to achieve the same goal(s)
– Ex: We try to run 3-4 iterations per several week
simulation

73.
Four keys to eﬀective attack simulations:
3. Simulate realistic compromise patterns
• Start the attack team on a:
– standard laptop/desktop to simulate phishing/clientside
compromise
– database or web server to simulate SQL injection/RCE
• 0days aren’t cheating, they’re reality. Attack team
should be encouraged to use them.
4. Break simulation down into iterations:
• Don’t spend the full engagement time on only round
of testing, once one team achieve goal(s), then swap
in new attack team to achieve the same goal(s)
– Ex: We try to run 3-4 iterations per several week
simulation

74.
The project output should be attack chains
showing how attack team went from A->B->C
to achieve goals, what steps they took and
why

75.
Just as importantly, what steps they didn’t
take
Ex: “We didn’t try to ﬁnd internal network diagrams
on your wiki because zone transfers were enabled
so we could got enough data about your network
from that”

76.
Remember, the goal is to simulate realistic
attack behaviors and patterns that can be
used to enhance detection